MTK is a place to share data forensic tips learned throughout the course of loud keyboard banging.
PGP Key http://bit.ly/UckgPW

Thursday, July 3, 2014

Random Offset Hiding of TrueCrypt Containers

Have you ever had to need to completely hide encrypted data and
know that if you had to, you could successfully deny its existence? Have you ever dreamed of hiding an encrypted
container in unpartitioned free space?
No... Neither have I, but we
stumbled across a neat little trick and wanted to share with you.

While playing around with with the command line, we wanted to see
if one could use dd to consecutively write two individually created filesystems
to a thumb drive (without partitioning the drive). And if so, subsequently mount and use either
one of the filesystems to store and save files.
We learned that the answer is yes, so we decided to make one of the
filesystems an encrypted one.

The process is a bit time consuming, but the end result is that
you will end up with a device that will contain a fully functioning, usable,
unencrypted filesystem followed by a completely hidden encrypted one. The second encrypted filesystem will reside
in the free space of the drive. Since
the device will not be partitioned, only the first filesystem will be seen by
the operating system. Without the
existence of a partition table, not even forensic software will be able to spot
the existence of the second encrypted filesystem, so don't forget its starting sector offset!

At the time that we tested this theory, the credibility of the
TrueCrypt software was still strong. For
that reason, we used TrueCrypt to encrypt the encrypted filesystem. If your are of the belief that TrueCrypt is
no no longer secure, then you are welcomed to use other tools. The process should be repeatable and you can
adjust it to your needs. For the
purposes of this article I used a VmWare Player Virtual Machine with Ubuntu
14.04 installed on it. Let's get
started.

Installing the tools:

With the exception of TrueCrypt, all of the tools that we will use
are either included in Ubuntu by default, or can be downloaded from the Ubuntu
Software Center. TrueCrypt is still
available for download. Steve Gibson
@SGgrc, the creator of SpinRite, stores the latest version of TrueCrypt on his website. Find it here. After download, if you want a bit of peace of mind, check
the hashes against known file hashes independently stored on other sites, like this one.

The other tools that we will need to accomplish this scenario are
dd, and sleuthkit. Dd comes
pre-installed in Ubuntu, so lets install sleuthkit.

We will install the tools form the command line. Open a Terminal window, In Ubuntu you can
accomplish this by pressing Ctrl-Alt-T at the same time or by going to the Dash
Home and typing in “terminal”. Type the
following into the terminal to install sleuthkit from the apt-get
repositories.

$ sudo
apt-get install hexedit sleuthkit

You will be prompted for your root password. Enter your root password and wait for the
program(s) to install. This procedure
will install sleuthkit version 3.2.3, which will work fine for what we
need. As of this writing the latest
version is 4.3.1. If you want to use the
latest, you have to compile it from source.
We can go over that a different day.

Now that you have the tools that we need, the next step is to
prepare a working folder for us to store our working copies of our data. Go to your desktop, right click on your
desktop and select “create new folder”, name it “Test”.

Navigate to the previously created Test folder on the
desktop. We will use the CD command to
change directory into the desktop. Type
the following into the terminal.

$ cd /home/carlos/Desktop/Test/

Replace “carlos” with
the name of the user account you are currently logged on as. After doing so, press enter. You should receive these results.

This will be the directory were we will create our filesystems
and/or whatever data we plan on using as a working copy of a file.

The test:

The first step in our process is to create the first filesystem
that will later be written to our drive.
It will be an unencrypted filesystem that you can use to store any
non-sensitive data, or any data for that matter.

Since two independent filesystems will be residing on our drive,
you will have to decide how large each of your filesystems will be. For the purposes of this article, I will be
using a 64MB thumb drive to store our filesystems. I chose a very tiny thumb
drive so that I could make the image available to you, if you wish to download
it. Find it here. Each of my filesystems will be 25MB in size. The password is "mtk". Continuing...

From the terminal, type the below command

$ dd if=/dev/urandom of=1st25mb_unencrypted.dd bs=512
count=50000

Dd is a common Linux program whose primary purpose is the low
level copying and conversion of raw data.
The if= tells dd to read from file.
In this instance the file is /dev/urandom, which is an interface to the
kernel's random number generator. The
of= tells dd to write to a file, which will be a file called
1st25mb_unencrypted.dd. Bs is the block
size of data to be used, and count tells dd to write fifty thousand blocks of
512 bytes. The result is that we will
end up with a data chunk that contains exactly 50,000 blocks of 512 bytes. Multiply 50,000 by 512 and then divide it by
1024 and you will get 25MB.

This should be the resulting data chunk. The ls -l command is the command to list
files with the -l argument that uses the long listing format.

Once the data chunk has been created use the below command to
format the data chunk into a functioning Fat-16 filesystem with volume label
“MTK.” Fat-16 worked best for the data
chunk that we created. You can use a
different filesystem if you choose.

$ mkfs.vfat
-F 16 -n MTK -v 1st25mb_unencrypted.dd

Mkfs.vfat is the command to create an MS-DOS filesystem under
Linux, -F Specifies the type of file allocation tables used, -n sets the volume
name (label) of the filesystem and -v will give us verbose output.

Success we have formated the data chunk. If you want to look at the filesystems
statistics of the data chunk, you can use the sleuthkit command fsstat, which
will provide just that. Type the below
command and press enter

$ fsstat
1st25mb_unencrypted.dd

The next step is to create our encrypted filesystem using
TrueCrypt. There are many tutorials
online on how to do this. I don't want
to go over the steps of creating one here due to the many options available and
how much longer it would make the write up.
A good article on how to create a container can be found on the
Howtogeek site. I went ahead and created a 25mb container
using all the defaults and the password mtk (lowercase). I named the container 2nd25mb_encrypted.dd.

I also mounted the encrypted container and added a file titled
SecretFile.txt. You can use the same
article from Howtogeek for instructions on this. Once you have added a file to the container
use TrueCrypt to unmount it.

Now comes the fun part.
Find a thumb drive that we can write these filesystems to. I inserted my 64mb thumb drive to my VM and
ran the below command to identify it.

Cat is the command to concatenate (combine) the two chunks one
after the other. The “|” is known as a
pipe. A pipe is a technique in Linux for
passing information from one program process to another. Dd saw the two chunks that were passed to it
and wrote them contiguously to the 64MB thumb drive assigned as physical device
/dev/sdb.

Our thumb drive is now ready for deployment and use. Both of the filesystems are now residing on the drive. If you insert this drive into a Windows machine this is what you
would see. Windows only recognized the unencrypted filesystem and assigned it logical letter (F).

At this point the drive is fully functioning with a 25MB
filesystem that is capable of storing data.
Even the “MTK” volume label that we assigned is being recognized. To the untrained eye the drive looks
perfectly normal and if forced to show your files, only the non-sensitive data
would be seen. The trained eye or anyone
with a little knowhow will be able to see that a 64MB drive only contains a
25MB filesystem. Inspection of the free
space of the drive would only show noise and nothing else. Similar to the noise in the unallocated space
of the unencrypted filesystem, hence the reason why we chose /dev/urandom for
that data chunk. You can picture them
scratching their heads, but that may be the extent of it. Have you ever heard of an examiner
segregating the free space of a drive into its own file to look for encrypted
containers and run brute force attacks?
If you have, please tell us about it in the comments.

Accessing the encrypted container:

To access the encrypted container we are going to have to create a
loop device and then mount that loop with TrueCrypt. Because the free space of the drive contains an entire filesystem, that specific offset of the drive can then be
mounted as if it were a disk device.

Accomplish it with the below command.

$ sudo
losetup -o 25600000 /dev/loop0 /dev/sdb

Losetup is the command to set up and control loop devices, -o is
the argument to specify the offset to the encrypted container. This location has to be specified in
bytes. The container starts 25,600,000
bytes into the drive, which was the 50000 sectors of the unencrypted filesystem
times 512 bytes. /Dev/loop0 is the first
available loop mount and /dev/sdb is the 64MB thumb drive.

Lastly we need to decrypt the loop mount and mount it to a
previously created directory using TrueCrypt.
This step can be accomplished with the below command.

$ sudo
truecrypt -t /dev/loop0 /mnt/tc/

Truecrypt -t is to use the TrueCrypt program in text mode,
/dev/loop0 is the location of the loop and /mnt/tc is a previously created
mount point that I created using mkdir (no screenshot).

By running ls -l on /mnt/tc we can see that our previously created
file titled SecretFile.txt is now decrypted and available to us. The loop device was mounted in readwrite mode,
which means that any data that you add to this filesystem will be stored and
encrypted upon dismount.

Conclusion:

This was a time consuming process of creating a hidden encrypted
container to store sensitive data. It
probably doesn't offer any more security than the already available methods
through TrueCrypt. It simply was an
exercise on how to manipulate data chunks and filesystems using the shell.

If this procedure helped your investigation, we would like to hear from you. You can leave a comment or reach me on twitter: @carlos_cajigas

-----

Update 07/10/14: Bored? Notice that the last screenshot above tells us that "SecretFile.txt" contains 11 bytes of data. Download the image, mount the encrypted container, and be the first one to tell us what data is stored in the "SecretFile.txt". Leave it in the comments section. Remember to share a tip.-----Update 07/18/14: Gerry Stephen found the data inside of the txt file. He went about finding the data using his preferred method and he even described his way. Go to the comments section to see his tip.

4 comments:

Very nice Carlos! Didn't go the Linux route. Loaded the E01 file using EnCase and Noted the Volume Slack started at Physical Sector 49,997. Since your writeup stated the Encrypted Volume was 50,000 sectors, I went in 1,536 bytes [ 3 x 512] and carved out the rest. Mounted it using TrueCrypt and the password "mtk". Found the file "SecretFile.txt" with a Modified Date of 3 Jul 14 @ 3:52 PM. Inside was the text "SecretData".

Gerry, Way to go. That’s it. You found the “SecretData” Thanks for taking on the project. I like the way you went about it and thanks for letting us know of another way to accomplish the task. Thanks for the comment.